Linked by Thom Holwerda on Fri 17th Jun 2011 18:49 UTC
Privacy, Security, Encryption

Oh boy, what do we make of this? We haven't paid that much attention to the whole thing as of yet, but with a recent public statement on why they do what they do, I think it's about time to address this thing. Yes, Lulz Security, the hacking group (or whatever they are) that's been causing quite a bit of amok on the web lately.
RE[7]: Bah - Hackers are not criminals
by jabbotts on Sun 19th Jun 2011 19:40 UTC in reply to "RE[6]: Bah - hacking skills"
jabbotts Member since:
2007-09-06


So banks should be employing thieves when they design their bank vaults? Having a general idea about how hacking works is useful, yes, but specific knowledge is worthless for this purpose.


Let's get the confusion out of the way first. The majority of Hackers are in fact law abiding folks. It's a mental approach to solving problems; a skill set, creativity and curiosity. It is not an indication of ethics or morality. While some folks use hacking skills to break the law, the majority do not.

Hacking is not even inherently computer security or computer related. Law abiding hackers are seen in all areas of interest. Hams; radio hackers. Gearheads; car hackers. Audiophiles; stereo hackers. The US authors of the constitution; political hackers. Builders; physical hackers. Computer Case Modders; case hackers. Researchers who find and responsibly report software bugs; usually software and security hackers. The folks who wrote most of that FOSS software you use daily; software hackers. It's simply a creative curiosity and need to learn applied to any topic of interest and usually resulting in finding ways to use a thing beyond how it was intended.

If what you mean is "someone who breaks the law" then the word you are looking for is "criminal" not "Hacker". A criminal using methods previously discovered by hackers does not make the criminal a hacker any more than using the directions to assemble Ikea furniture makes one a master carpenter.

Now, on to your points.

Should a bank hire thieves to design bank vaults? I'd say it's up to the business management to decide. There are a few ex-cons who now work as contractors testing bank security. I've seen interviews with at least one who specializes in vault security. There are also many physical security hackers (i.e. penetration testers) who've never broken the law; the bank may consider hiring one of them instead.

Having a general idea about how a break in occurs helps but it's really not the same as someone with the hacker mind and permission actually breaking in and going "here's how I got in, here's what I could do once in."


Unfortunately this makes your system "better" by trial and error, not by design.


It's not done in a vacuum. You design a secure system and let the guys on your team with the Hacker mind think of ways the system could fail. You update your specs. Once you actually implement the test system you let the Hacker minds try to break it then address how it fails. You repeat this in testing until satisfied that it's reasonable for production use. You then regularly test the production system or a lab duplicate of it to see what new ways it fails which you then address.

Why do you suggest that it's one or the other? Why do you suggest that "design" is inherently superior and need never be tested?


Obviously I'm not referring to those and also not referring to hackers who hack on code rather than break into systems.


Obviously the word you should be using then is "criminals". And, if you did indeed recognize the difference, why did you open this last comment with asking if banks should be hiring criminals to design bank vaults? Was there something to be gained by sensationalizing your comments by referring to "teh 3vi1z hax0rz3z"?

If you did indeed recognize the difference then my first comment stands; how do you know your system is indeed secure if you've never let it be tested by hackers? If you haven't any hackers on your admin or info sec teams then obviously you have room to improve simply by addressing your current lack of creative "outside the box" self motivated staff.

Reply Parent Score: 3

Soulbender Member since:
2005-08-18

So, we're pretty much in agreement. You should hire hackers, as in the word's original meaning, and not morons like LulzSec and Anonymous. Unfortunately there seem to be quite a number of IT execs who think hiring those kinds of morons is the right thing to do for improving security. That's a problem.
Computer Security is not black-magic arts that only whizkid geniuses understand, it's an engineering practice.
It's unfortunate that the word hacker has, in the mainstream media, come to mean the LulzSec kind of person and not the, say, Linus Torvalds or Theo de Raadt kind.

Edited 2011-06-19 21:23 UTC

Reply Parent Score: 2

RE[9]: Bah - Bingo.
by jabbotts on Mon 20th Jun 2011 00:54 in reply to "RE[8]: Bah - Hackers are not criminals"
jabbotts Member since:
2007-09-06

(would have saved me a lot of typing if this post appeared before I finished my last near short essay of a post)

But, bingo. I meant hackers in the proper sense of the word. Not the media-sensationalized criminals and crackers or kids who waste skills with the antics of LulzSec. In those terms, we do agree.

Reply Parent Score: 2